How to use docker swarm unlock command to unlock a swarm manager


Introduction

In this lab, you will learn how to use the docker swarm unlock command to unlock a Docker swarm manager after the Docker daemon has been restarted with the autolock feature enabled. We will begin by initializing a swarm with autolock enabled, which generates a unique unlock key.

Next, we will simulate a Docker daemon restart on the manager node to trigger the autolock mechanism. Finally, you will use the docker swarm unlock command with the previously obtained unlock key to successfully unlock the swarm manager, allowing it to resume its operations.



Initialize a swarm with autolock enabled

In this step, we will initialize a Docker swarm with the autolock feature enabled. Autolock helps protect the swarm against unauthorized access by requiring a key to unlock the swarm after a Docker daemon restart.

First, let's initialize the swarm. We will use the docker swarm init command with the --autolock flag.

docker swarm init --autolock

You should see output similar to this, indicating that the swarm has been initialized and an unlock key has been generated. Copy the unlock key and store it securely; you will need it to unlock the swarm in the final step.

Swarm initialized: current node (xxxxxxxxxxxx) is now a manager.

To add a worker to this swarm, run the following command:

    docker swarm join --token SWMTKN-1-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 172.17.0.2:2377

To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.

To unlock the swarm after it restarts, run the `docker swarm unlock` command and provide the following key:

    Swarm unlock key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The output provides the command to join a worker or manager to the swarm, and importantly, the Swarm unlock key. This key is crucial for unlocking the swarm after the Docker daemon is restarted.

Restart the Docker daemon on the manager node

In this step, we will simulate a Docker daemon restart on the manager node. This will demonstrate the effect of the autolock feature we enabled in the previous step.

To restart the Docker daemon, we will use the systemctl restart docker command. Since this requires root privileges, we will use sudo.

sudo systemctl restart docker

After the command executes, the Docker daemon will be stopped and then started again. This simulates a server reboot or a manual restart of the Docker service.

Now, let's try to run a simple Docker command to see the state of the swarm. We will use docker node ls.

docker node ls

You should see an error message indicating that the swarm is locked and needs to be unlocked. This confirms that the autolock feature is working as expected. The output will be similar to this:

Error: swarm is encrypted and needs to be unlocked before it can be used. Please use "docker swarm unlock" to unlock it.

This error message is expected because the swarm is now locked due to the Docker daemon restart. In the next step, we will use the unlock key obtained in Step 1 to unlock the swarm.

Use docker swarm unlock to unlock the manager

In this step, we will unlock the Docker swarm using the unlock key we obtained in Step 1. This will allow us to interact with the swarm again.

Recall the unlock key that was displayed when you initialized the swarm in Step 1. You will need to provide this key to the docker swarm unlock command.

Run the docker swarm unlock command. It does not accept the key as a command-line flag; it prompts for the key instead, so paste the unlock key you copied when asked. Entering the key at the prompt also keeps it out of your shell history.

docker swarm unlock

After executing the command with the correct unlock key, the swarm should be unlocked. You should see output indicating that the swarm was successfully unlocked.

Swarm unlocked.

Now that the swarm is unlocked, let's verify that we can interact with it again by listing the nodes in the swarm.

docker node ls

You should now see the details of the manager node, indicating that the swarm is operational. The output will be similar to this:

ID                            HOSTNAME            STATUS    AVAILABILITY   MANAGER STATUS   ENGINE VERSION
xxxxxxxxxxxx   labex-vm            Ready     Active         Leader           20.10.21

This confirms that you have successfully unlocked the Docker swarm after the daemon restart.
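The unlock step can also be scripted. The following is an added example, not part of the original lab: it checks the manager's state with docker info, passes the key to docker swarm unlock on standard input so that it never appears in shell history or the process list, and confirms the result. The function names and the key file path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original lab. Function names and the key
# file path are hypothetical.

# Print this node's swarm state as the daemon reports it: "locked" after a
# restart with autolock enabled, "active" once unlocked.
swarm_state() {
    docker info --format '{{.Swarm.LocalNodeState}}'
}

# Accept the key file only if it is owner-only (mode 600 or 400).
# Uses GNU stat, as found on Linux hosts.
key_file_is_private() {
    [ -f "$1" ] || return 1
    kf_mode=$(stat -c '%a' "$1") || return 1
    case "$kf_mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Unlock the local manager with the key stored in file $1.
# Returns 0 = unlocked, 2 = unexpected state, 3 = unsafe key file,
# 4 = unlock failed.
unlock_swarm_manager() {
    usm_key_file=$1
    usm_state=$(swarm_state) || return 2
    case "$usm_state" in
        active) echo "swarm is already unlocked"; return 0 ;;
        locked) ;;
        *) echo "unexpected swarm state: $usm_state" >&2; return 2 ;;
    esac
    if ! key_file_is_private "$usm_key_file"; then
        echo "refusing key file that is missing or not mode 600/400" >&2
        return 3
    fi
    # With stdin redirected, docker swarm unlock reads the key from it
    # instead of prompting on the terminal.
    docker swarm unlock < "$usm_key_file" || return 4
    [ "$(swarm_state)" = "active" ] || return 4
}

# Usage on a locked manager (the path is a placeholder):
#   unlock_swarm_manager /root/swarm-unlock.key
```

Keeping the key file on the manager's own disk weakens what autolock protects, so write it there only for the duration of the unlock, or fetch it from a secrets store.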

Summary

In this lab, we learned how to use the docker swarm unlock command to unlock a swarm manager after a Docker daemon restart when the swarm was initialized with the autolock feature enabled. We began by initializing a Docker swarm using docker swarm init --autolock, which generated a unique unlock key essential for regaining access to the swarm after a restart. We then simulated a Docker daemon restart on the manager node using sudo systemctl restart docker to trigger the autolock mechanism. This demonstrated the importance of the unlock key obtained during initialization.